I am using Zentyal OS as a firewall. It is working fine for things like blocking HTTP sites, but I am not able to block the HTTPS Facebook site.
My only aim is to block the HTTPS Facebook site, i.e. I need to block port 443.

This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.


Why are you unable to block using Zentyal? It is just a Linux box, after all. Is it that the admin interface isn't flexible enough? Also, where will you run the iptables rules: on the Zentyal box or a different one?
– itsbruce Oct 29 '12 at 14:25

3 Answers

Note: I wrote this hours ago, but I am in Sandy's path so I walked away and forgot to press the submit button

So there are two ways to accomplish this, and both do something different. It is going to be impossible to truly block Facebook, as anyone could use a proxy site and get around your restrictions. They could also SSH tunnel out to a server that isn't restricted. Nonetheless, here we go...

This solution isn't perfect either. DNS is just the base of the naming system; hitting the IP address directly would win. If you own the internal name server for your network, you could set up an entry for facebook.com to resolve somewhere else. I'd use this in conjunction with the iptables one above.

sslstrip -- not recommended at all

We could even go one step further. If you own all the machines in the network that you are trying to block Facebook for, you could generate a root CA certificate and install the public key on all the machines. Man-in-the-middle all SSL traffic, re-sign all websites with your certs, and actively kill Facebook connections. However, this is a dangerous idea and has privacy implications (especially in a corporate environment).
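The iptables side this answer refers to is not shown on the page. The script below is an added example, not the answer's own code, of the port 443 block done with iptables and an ipset: names are resolved to addresses with dig, the addresses go into a set, and one FORWARD rule rejects TCP/443 to anything in the set. It assumes the Zentyal box is the LAN gateway (so blocked traffic passes the FORWARD chain), that the ipset tools are installed, and it only prints the commands so they can be reviewed before being piped to sh as root. The addresses in the usage comment are documentation addresses used as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original answer): block TCP/443 to a set of
# addresses with iptables + ipset. Assumes the Zentyal box is the gateway.
BLOCK_SET=blocked_https

# Resolve host names to IPv4 addresses. Needs dig and network access, so it
# is not used by the offline test; CNAME lines are filtered out.
resolve_hosts() {
  for h in "$@"; do
    dig +short "$h" A
  done | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# Print (do not run) the ipset/iptables commands for the given IPv4
# addresses or CIDRs. The set is flushed first, so re-running the script
# after re-resolving replaces the old addresses instead of accumulating.
gen_block_rules() {
  echo "ipset create $BLOCK_SET hash:net -exist"
  echo "ipset flush $BLOCK_SET"
  for net in "$@"; do
    echo "ipset add $BLOCK_SET $net -exist"
  done
  # Reject with a TCP reset so browsers fail fast instead of hanging;
  # inserted at the top of FORWARD so Zentyal's own accept rules come later.
  echo "iptables -I FORWARD -p tcp --dport 443 -m set --match-set $BLOCK_SET dst -j REJECT --reject-with tcp-reset"
}

# Usage (as root, on the gateway), for example:
#   gen_block_rules $(resolve_hosts facebook.com www.facebook.com) | sh
# or, to check the rules with constructed sample addresses (RFC 5737):
#   gen_block_rules 198.51.100.7 198.51.100.8
```

Two things to keep in mind when using this: Facebook's addresses change and are spread over many hosts, so re-resolve and re-run from cron rather than once; and blocking by address can take down other sites that share those addresses, which is one reason the DNS approach is preferred in the comments. As the answer says, none of this stops a proxy or an SSH tunnel.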

As I believe Zentyal comes with integrated support for the Snort IDS, you could add a Snort rule that detects and blocks the SSL packet which contains the server certificate, based on a common name that contains facebook.com. That could also address accesses through a proxy (as long as the connection to the proxy itself is not encrypted).

Another approach could be to force all DNS traffic through your DNS server (block domain traffic except to your DNS server) and return something bogus for queries of any facebook.com domain (would not stop access through a proxy though).

The DNS approach is definitely the better one. It also allows you to put up a catch-all site that can be used to explain the reason for blocking. It's way more fine-grained than any other method, e.g. only apps.facebook.com.
– 0xC0000022L May 23 '14 at 18:32